Mozilla patches cross-browser Firefox flaw

Firefox 2.0.0.5 contains a patch for the MFSA 2007-23 vulnerability

Mozilla has issued a new version of Firefox that includes a fix for the highly-publicised cross-browser vulnerability. 

Firefox 2.0.0.5 contains a patch for the MFSA 2007-23 vulnerability which could allow an attacker to execute arbitrary code on a system using specially-crafted JavaScript code.

The open source browser would normally restrict the level of access given to such code, but when the code is delivered through Internet Explorer the restrictions are not in place.

An attacker could simply attach the malicious code to a URL instructing Internet Explorer to launch Firefox and run the exploit.

A similar flaw was later found to exist in AIM instant messaging clients. The researchers who discovered the AIM flaw suggested that both vulnerabilities are down to the way the Uniform Resource Identifiers are handled. 

Mozilla stressed that the fix will only prevent the Firefox end of the attack. Microsoft said that it is investigating the Internet Explorer reports. 

Along with the cross-browser vulnerability, two further critical flaws were addressed in the Firefox update.

The first allowed attackers to execute arbitrary code by way of what Mozilla categorises as "an unspecified element outside a document".

The other is for vulnerabilities in the Firefox JavaScript engine that could allow for an application crash and memory corruption if exploited.

The update also includes fixes for a pair of cross-site scripting vulnerabilities and a flaw that could allow an attacker to access a user's web cache.

The update is available through the Firefox website or through the browser's automatic update feature.